<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<HTML lang="en"><HEAD><META http-equiv="Content-Type" content="text/html; charset=UTF-8"><TITLE>Draft: OpenID Artifact Binding 1.0 - Draft03</TITLE>
<META name="description" content="OpenID Artifact Binding 1.0 - Draft03">
<META name="generator" content="xml2rfc v1.35 (http://xml.resource.org/)">
<STYLE type="text/css"><!--
body {
font-family: verdana, charcoal, helvetica, arial, sans-serif;
font-size: small; color: #000; background-color: #FFF;
margin: 2em;
}
h1, h2, h3, h4, h5, h6 {
font-family: helvetica, monaco, "MS Sans Serif", arial, sans-serif;
font-weight: bold; font-style: normal;
}
h1 { color: #900; background-color: transparent; text-align: right; }
h3 { color: #333; background-color: transparent; }
td.RFCbug {
font-size: x-small; text-decoration: none;
width: 30px; height: 30px; padding-top: 2px;
text-align: justify; vertical-align: middle;
background-color: #000;
}
td.RFCbug span.RFC {
font-family: monaco, charcoal, geneva, "MS Sans Serif", helvetica, verdana, sans-serif;
font-weight: bold; color: #666;
}
td.RFCbug span.hotText {
font-family: charcoal, monaco, geneva, "MS Sans Serif", helvetica, verdana, sans-serif;
font-weight: normal; text-align: center; color: #FFF;
}
table.TOCbug { width: 30px; height: 15px; }
td.TOCbug {
text-align: center; width: 30px; height: 15px;
color: #FFF; background-color: #900;
}
td.TOCbug a {
font-family: monaco, charcoal, geneva, "MS Sans Serif", helvetica, sans-serif;
font-weight: bold; font-size: x-small; text-decoration: none;
color: #FFF; background-color: transparent;
}
td.header {
font-family: arial, helvetica, sans-serif; font-size: x-small;
vertical-align: top; width: 33%;
color: #FFF; background-color: #666;
}
td.author { font-weight: bold; font-size: x-small; margin-left: 4em; }
td.author-text { font-size: x-small; }
/* info code from SantaKlauss at http://www.madaboutstyle.com/tooltip2.html */
a.info {
/* This is the key. */
position: relative;
z-index: 24;
text-decoration: none;
}
a.info:hover {
z-index: 25;
color: #FFF; background-color: #900;
}
a.info span { display: none; }
a.info:hover span.info {
/* The span will display just on :hover state. */
display: block;
position: absolute;
font-size: smaller;
top: 2em; left: -5em; width: 15em;
padding: 2px; border: 1px solid #333;
color: #900; background-color: #EEE;
text-align: left;
}
a { font-weight: bold; }
a:link { color: #900; background-color: transparent; }
a:visited { color: #633; background-color: transparent; }
a:active { color: #633; background-color: transparent; }
p { margin-left: 2em; margin-right: 2em; }
p.copyright { font-size: x-small; }
p.toc { font-size: small; font-weight: bold; margin-left: 3em; }
table.toc { margin: 0 0 0 3em; padding: 0; border: 0; vertical-align: text-top; }
td.toc { font-size: small; font-weight: bold; vertical-align: text-top; }
ol.text { margin-left: 2em; margin-right: 2em; }
ul.text { margin-left: 2em; margin-right: 2em; }
li { margin-left: 3em; }
/* RFC-2629 <spanx>s and <artwork>s. */
em { font-style: italic; }
strong { font-weight: bold; }
dfn { font-weight: bold; font-style: normal; }
cite { font-weight: normal; font-style: normal; }
tt { color: #036; }
tt, pre, pre dfn, pre em, pre cite, pre span {
font-family: "Courier New", Courier, monospace; font-size: small;
}
pre {
text-align: left; padding: 4px;
color: #000; background-color: #CCC;
}
pre dfn { color: #900; }
pre em { color: #66F; background-color: #FFC; font-weight: normal; }
pre .key { color: #33C; font-weight: bold; }
pre .id { color: #900; }
pre .str { color: #000; background-color: #CFF; }
pre .val { color: #066; }
pre .rep { color: #909; }
pre .oth { color: #000; background-color: #FCF; }
pre .err { background-color: #FCC; }
/* RFC-2629 <texttable>s. */
table.all, table.full, table.headers, table.none {
font-size: small; text-align: center; border-width: 2px;
vertical-align: top; border-collapse: collapse;
}
table.all, table.full { border-style: solid; border-color: black; }
table.headers, table.none { border-style: none; }
th {
font-weight: bold; border-color: black;
border-width: 2px 2px 3px 2px;
}
table.all th, table.full th { border-style: solid; }
table.headers th { border-style: none none solid none; }
table.none th { border-style: none; }
table.all td {
border-style: solid; border-color: #333;
border-width: 1px 2px;
}
table.full td, table.headers td, table.none td { border-style: none; }
hr { height: 1px; }
hr.insert {
width: 80%; border-style: none; border-width: 0;
color: #CCC; background-color: #CCC;
}
--></STYLE>
</HEAD><BODY>
<TABLE summary="layout" cellpadding="0" cellspacing="2" class="TOCbug" align="right"><TBODY><TR><TD class="TOCbug"><A href="file:///C:/DOCUME~1/nat/LOCALS~1/Temp/xml2rfc-xxe-2801899079746774201.html#toc"> TOC </A></TD></TR></TBODY></TABLE>
<TABLE summary="layout" width="66%" border="0" cellpadding="0" cellspacing="0"><TBODY><TR><TD><TABLE summary="layout" width="100%" border="0" cellpadding="2" cellspacing="1">
<TBODY><TR><TD class="header">Draft</TD><TD class="header"> openid-specs-ab@openid.net</TD></TR>
<TR><TD class="header"> </TD><TD class="header">April 14, 2010</TD></TR>
</TBODY></TABLE></TD></TR></TBODY></TABLE>
<H1><BR>OpenID Artifact Binding 1.0 - Draft03</H1>
<H3>Abstract</H3>
<P>OpenID Authentication 2.0 defines how Authentication and associated extension requests are moved among the User, the Relying Party, and the OpenID Provider through HTTP POST or GET, i.e., it defines the POST and GET bindings for OpenID messaging. This specification defines the Artifact Binding, which sends the OpenID message directly from the Relying Party to the OpenID Provider and passes only a small reference, called an Artifact, through the browser, so that large payloads can be moved between the Relying Party and the OpenID Provider without hitting browser URL and HTTP header size limits. Because the User-Agent carries only the Artifact, the request and the assertion are neither exposed to nor modifiable by it, which also makes the binding more secure. In addition, by requiring HTTPS for the direct communication, it removes the symmetric signature on the assertion and the association that OpenID Authentication 2.0 (POST/GET binding) requires, making it considerably simpler to implement. As higher-security options, it introduces an asymmetric signature and a parameter to hold the user's public key, so that it can also be used to send holder-of-key assertions. It can also optionally encrypt the assertion. If the Relying Party desires, it may request a type of assertion other than the Key-Value Form one.
</P><A name="toc"></A><BR><HR>
<H3>Table of Contents</H3>
<P class="toc">
<A href="file:///C:/DOCUME~1/nat/LOCALS~1/Temp/xml2rfc-xxe-2801899079746774201.html#anchor1">1.</A>
Requirements Notation and Conventions<BR>
<A href="file:///C:/DOCUME~1/nat/LOCALS~1/Temp/xml2rfc-xxe-2801899079746774201.html#terminology">2.</A>
Terminology<BR>
<A href="file:///C:/DOCUME~1/nat/LOCALS~1/Temp/xml2rfc-xxe-2801899079746774201.html#anchor2">3.</A>
Protocol Overview<BR>
<A href="file:///C:/DOCUME~1/nat/LOCALS~1/Temp/xml2rfc-xxe-2801899079746774201.html#anchor3">4.</A>
Data Formats<BR>
<A href="file:///C:/DOCUME~1/nat/LOCALS~1/Temp/xml2rfc-xxe-2801899079746774201.html#anchor4">5.</A>
Communication Types<BR>
<A href="file:///C:/DOCUME~1/nat/LOCALS~1/Temp/xml2rfc-xxe-2801899079746774201.html#generating_signatures">6.</A>
Generating Signatures<BR>
<A href="file:///C:/DOCUME~1/nat/LOCALS~1/Temp/xml2rfc-xxe-2801899079746774201.html#anchor5">7.</A>
Protocol<BR>
<A href="file:///C:/DOCUME~1/nat/LOCALS~1/Temp/xml2rfc-xxe-2801899079746774201.html#initiation">7.1.</A>
Initiation<BR>
<A href="file:///C:/DOCUME~1/nat/LOCALS~1/Temp/xml2rfc-xxe-2801899079746774201.html#normalization">7.2.</A>
Normalization<BR>
<A href="file:///C:/DOCUME~1/nat/LOCALS~1/Temp/xml2rfc-xxe-2801899079746774201.html#discovery">7.3.</A>
Discovery<BR>
<A href="file:///C:/DOCUME~1/nat/LOCALS~1/Temp/xml2rfc-xxe-2801899079746774201.html#direct_authentication_request">7.4.</A>
Direct Authentication Request (Optional)<BR>
<A href="file:///C:/DOCUME~1/nat/LOCALS~1/Temp/xml2rfc-xxe-2801899079746774201.html#direct_authentication_request_response">7.5.</A>
Direct Authentication Request Response<BR>
<A href="file:///C:/DOCUME~1/nat/LOCALS~1/Temp/xml2rfc-xxe-2801899079746774201.html#artifact_authentication_request">7.6.</A>
Artifact Authentication Request<BR>
<A href="file:///C:/DOCUME~1/nat/LOCALS~1/Temp/xml2rfc-xxe-2801899079746774201.html#artifact_authentication_response">7.7.</A>
Artifact Authentication Response<BR>
<A href="file:///C:/DOCUME~1/nat/LOCALS~1/Temp/xml2rfc-xxe-2801899079746774201.html#direct_assertion_request">7.8.</A>
Direct Assertion Request<BR>
<A href="file:///C:/DOCUME~1/nat/LOCALS~1/Temp/xml2rfc-xxe-2801899079746774201.html#direct_assertion_response">7.9.</A>
Direct Assertion Response<BR>
<A href="file:///C:/DOCUME~1/nat/LOCALS~1/Temp/xml2rfc-xxe-2801899079746774201.html#verification">7.10.</A>
Verifying Assertions<BR>
<A href="file:///C:/DOCUME~1/nat/LOCALS~1/Temp/xml2rfc-xxe-2801899079746774201.html#extensions">8.</A>
Extensions<BR>
<A href="file:///C:/DOCUME~1/nat/LOCALS~1/Temp/xml2rfc-xxe-2801899079746774201.html#rp_discovery">9.</A>
Discovering OpenID Relying Parties<BR>
<A href="file:///C:/DOCUME~1/nat/LOCALS~1/Temp/xml2rfc-xxe-2801899079746774201.html#security_considerations">10.</A>
Security Considerations<BR>
<A href="file:///C:/DOCUME~1/nat/LOCALS~1/Temp/xml2rfc-xxe-2801899079746774201.html#assertion_manufacture">10.1.</A>
Assertion manufacture/modification<BR>
<A href="file:///C:/DOCUME~1/nat/LOCALS~1/Temp/xml2rfc-xxe-2801899079746774201.html#assertion_disclosure">10.2.</A>
Assertion disclosure<BR>
<A href="file:///C:/DOCUME~1/nat/LOCALS~1/Temp/xml2rfc-xxe-2801899079746774201.html#assertion_repudiation">10.3.</A>
Assertion repudiation<BR>
<A href="file:///C:/DOCUME~1/nat/LOCALS~1/Temp/xml2rfc-xxe-2801899079746774201.html#assertion_redirect">10.4.</A>
Assertion redirect<BR>
<A href="file:///C:/DOCUME~1/nat/LOCALS~1/Temp/xml2rfc-xxe-2801899079746774201.html#assertion_reuse">10.5.</A>
Assertion reuse<BR>
<A href="file:///C:/DOCUME~1/nat/LOCALS~1/Temp/xml2rfc-xxe-2801899079746774201.html#artifact_manufacture">10.6.</A>
Secondary authenticator manufacture<BR>
<A href="file:///C:/DOCUME~1/nat/LOCALS~1/Temp/xml2rfc-xxe-2801899079746774201.html#artifact_capture">10.7.</A>
Secondary authenticator capture<BR>
<A href="file:///C:/DOCUME~1/nat/LOCALS~1/Temp/xml2rfc-xxe-2801899079746774201.html#assertion_substitution">10.8.</A>
Assertion substitution<BR>
<A href="file:///C:/DOCUME~1/nat/LOCALS~1/Temp/xml2rfc-xxe-2801899079746774201.html#auth_req_disclosure">10.9.</A>
Authentication Request Disclosure<BR>
<A href="file:///C:/DOCUME~1/nat/LOCALS~1/Temp/xml2rfc-xxe-2801899079746774201.html#authn_proc_threats">10.10.</A>
Authentication Process Threats<BR>
<A href="file:///C:/DOCUME~1/nat/LOCALS~1/Temp/xml2rfc-xxe-2801899079746774201.html#comformance">11.</A>
Conformance<BR>
<A href="file:///C:/DOCUME~1/nat/LOCALS~1/Temp/xml2rfc-xxe-2801899079746774201.html#acknowledgements">12.</A>
Appendix A. Acknowledgements<BR>
<A href="file:///C:/DOCUME~1/nat/LOCALS~1/Temp/xml2rfc-xxe-2801899079746774201.html#anchor6">Appendix A.</A>
Acknowledgements<BR>
<A href="file:///C:/DOCUME~1/nat/LOCALS~1/Temp/xml2rfc-xxe-2801899079746774201.html#rfc.references1">13.</A>
Normative References<BR>
<A href="file:///C:/DOCUME~1/nat/LOCALS~1/Temp/xml2rfc-xxe-2801899079746774201.html#rfc.authors">§</A>
Author's Address<BR>
</P>
<BR clear="all">
<A name="anchor1"></A><BR><HR>
<TABLE summary="layout" cellpadding="0" cellspacing="2" class="TOCbug" align="right"><TBODY><TR><TD class="TOCbug"><A href="file:///C:/DOCUME~1/nat/LOCALS~1/Temp/xml2rfc-xxe-2801899079746774201.html#toc"> TOC </A></TD></TR></TBODY></TABLE>
<A name="rfc.section.1"></A><H3>1.
Requirements Notation and Conventions</H3>
<P>The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in <A class="info" href="#RFC2119">[RFC2119]<SPAN> (</SPAN><SPAN class="info">Bradner, S., “Key words for use in RFCs to Indicate Requirement Levels,” March 1997.</SPAN><SPAN>)</SPAN></A>.
</P>
<P>Throughout this document, values are quoted to indicate that they are to be taken literally. When using these values in protocol messages, the quotes MUST NOT be used as part of the value.
</P>
<A name="terminology"></A><BR><HR>
<TABLE summary="layout" cellpadding="0" cellspacing="2" class="TOCbug" align="right"><TBODY><TR><TD class="TOCbug"><A href="file:///C:/DOCUME~1/nat/LOCALS~1/Temp/xml2rfc-xxe-2801899079746774201.html#toc"> TOC </A></TD></TR></TBODY></TABLE>
<A name="rfc.section.2"></A><H3>2.
Terminology</H3>
<P>In addition to the terminology used in <A class="info" href="#OpenID.authentication-2.0">[OpenID.authentication‑2.0]<SPAN> (</SPAN><SPAN class="info">specs@openid.net, “OpenID Authentication 2.0,” 2007.</SPAN><SPAN>)</SPAN></A>, the following terms are used.
</P>
<P></P>
<BLOCKQUOTE class="text"><DL>
<DT>Artifact:</DT>
<DD>An Artifact is a short string that references a larger payload held by the party that issued it. The Artifact, rather than the payload, is passed through the User-Agent; the receiving party then presents the Artifact to the issuer over Direct Communication to obtain the payload.
</DD>
</DL></BLOCKQUOTE>
<A name="anchor2"></A><BR><HR>
<TABLE summary="layout" cellpadding="0" cellspacing="2" class="TOCbug" align="right"><TBODY><TR><TD class="TOCbug"><A href="file:///C:/DOCUME~1/nat/LOCALS~1/Temp/xml2rfc-xxe-2801899079746774201.html#toc"> TOC </A></TD></TR></TBODY></TABLE>
<A name="rfc.section.3"></A><H3>3.
Protocol Overview</H3>
<P></P>
<OL class="text">
<LI>The end user <A class="info" href="file:///C:/DOCUME~1/nat/LOCALS~1/Temp/xml2rfc-xxe-2801899079746774201.html#initiation">initiates authentication<SPAN> (</SPAN><SPAN class="info">Initiation</SPAN><SPAN>)</SPAN></A> by presenting a User-Supplied Identifier to the Relying Party via their User-Agent.
</LI>
<LI>After normalizing the User-Supplied Identifier, the Relying Party performs discovery on it and establishes the OP Endpoint URL that the end user uses for authentication. It should be noted that the User-Supplied Identifier may be an OP Identifier, as discussed in Section 7.3.1 of OpenID Authentication 2.0, which allows selection of a Claimed Identifier at the OP, or for the protocol to proceed without a Claimed Identifier if something else useful is being done via an extension.
</LI>
<LI>The Relying Party sends the OpenID Authentication Request to the OP via direct communication and obtains an Artifact, or creates a request parameter file and assigns a URL to it so that it can send that URL in the next step.
</LI>
<LI>The Relying Party redirects the end user's User-Agent to the OP with an OpenID <A class="info" href="file:///C:/DOCUME~1/nat/LOCALS~1/Temp/xml2rfc-xxe-2801899079746774201.html#artifact_authentication_request">Artifact Authentication request<SPAN> (</SPAN><SPAN class="info">Artifact Authentication Request</SPAN><SPAN>)</SPAN></A> .
</LI>
<LI>The OP establishes whether the end user is authorized to perform OpenID Authentication and wishes to do so. The manner in which the end user authenticates to their OP and any policies surrounding such authentication is out of scope for this document.
</LI>
<LI>The OP redirects the end user's User-Agent back to the RP with Artifact Authentication Response.
</LI>
<LI>The RP GETs the assertion from the OP through direct communication (Direct Assertion Request and Response.)
</LI>
<LI>The Relying Party <A class="info" href="#verification">verifies<SPAN> (</SPAN><SPAN class="info">Verifying Assertions</SPAN><SPAN>)</SPAN></A> the information received from the OP, including checking the return_to URL, verifying the discovered information, checking the nonce, and, where the assertion carries an asymmetric signature (Section 6), verifying that signature. Because the assertion itself arrived over the SSL/TLS direct channel in the previous step, there is no association or shared key to check.
</LI>
</OL>
<P>A Typical sequence can be depicted as follows: </P>
<DIV style="display: table; width: 0; margin-left: 3em; margin-right: auto"><PRE>User->UA: Click Login
UA->RP: Login with identifier
RP->RP: Normalize identifier
RP->OP: Get XRDS
RP->RP: Find Service
RP->OP: Direct AuthN Req
OP->OP: Create Artifact
OP->OP: Store Request
OP-->RP: Artifact
RP-->UA: Artifact Authentication Request
UA->OP: Artifact Authentication Request
opt If not immediate
OP-->UA: Credential Input Screen
User->UA: Input Credential
UA->OP: POST credential
OP->OP: Check credential
end
OP->OP: Store Assertion
OP-->UA: Artifact Authentication Response
UA->RP: Artifact Authentication Response
RP->OP: Direct Assertion Request
OP-->RP: Direct Assertion Response
RP->RP: Verify Assertion
RP-->UA: Session</PRE></DIV><P>
</P>
<A name="anchor3"></A><BR><HR>
<TABLE summary="layout" cellpadding="0" cellspacing="2" class="TOCbug" align="right"><TBODY><TR><TD class="TOCbug"><A href="file:///C:/DOCUME~1/nat/LOCALS~1/Temp/xml2rfc-xxe-2801899079746774201.html#toc"> TOC </A></TD></TR></TBODY></TABLE>
<A name="rfc.section.4"></A><H3>4.
Data Formats</H3>
<P>Data Format is the same as in <A class="info" href="file:///C:/DOCUME~1/nat/LOCALS~1/Temp/xml2rfc-xxe-2801899079746774201.html#OpenID.authentication-2.0">[OpenID.authentication‑2.0]<SPAN> (</SPAN><SPAN class="info">specs@openid.net, “OpenID Authentication 2.0,” 2007.</SPAN><SPAN>)</SPAN></A> section 4.
</P>
<A name="anchor4"></A><BR><HR>
<TABLE summary="layout" cellpadding="0" cellspacing="2" class="TOCbug" align="right"><TBODY><TR><TD class="TOCbug"><A href="file:///C:/DOCUME~1/nat/LOCALS~1/Temp/xml2rfc-xxe-2801899079746774201.html#toc"> TOC </A></TD></TR></TBODY></TABLE>
<A name="rfc.section.5"></A><H3>5.
Communication Types</H3>
<P>Communication Types are the same as in <A class="info" href="#OpenID.authentication-2.0">[OpenID.authentication‑2.0]<SPAN> (</SPAN><SPAN class="info">specs@openid.net, “OpenID Authentication 2.0,” 2007.</SPAN><SPAN>)</SPAN></A> section 5, except that what that specification calls "indirect" communication is called "redirect" communication here, to avoid confusion with the terminology of NIST SP 800-63. In addition to those defined there, the Artifact Binding uses Direct Communication to send and receive the authentication message itself. All Direct Communication MUST be over an SSL/TLS channel. Since this channel stands in for the association and the symmetric signature of OpenID Authentication 2.0, the party opening the connection also needs to verify the peer's certificate; a TLS connection whose peer is not authenticated gives none of the protection this specification assumes.
</P>
<A name="generating_signatures"></A><BR><HR>
<TABLE summary="layout" cellpadding="0" cellspacing="2" class="TOCbug" align="right"><TBODY><TR><TD class="TOCbug"><A href="file:///C:/DOCUME~1/nat/LOCALS~1/Temp/xml2rfc-xxe-2801899079746774201.html#toc"> TOC </A></TD></TR></TBODY></TABLE>
<A name="rfc.section.6"></A><H3>6.
Generating Signatures</H3>
<P>Artifact Binding does not use symmetric signatures; the assertion is protected in transit by the SSL/TLS channel of the Direct Communication (Section 5).
</P>
<P>To achieve higher assurance levels, one MAY use an asymmetric signature as in <A class="info" href="#magic_signatures">[magic_signatures]<SPAN> (</SPAN><SPAN class="info">Panzer, J., “Magic Signatures,” February 2010.</SPAN><SPAN>)</SPAN></A>, with the following parameters.
</P>
<P></P>
<BLOCKQUOTE class="text">
<P>"data_type":"application/x-key-value-form"
</P>
<P>"encoding":"base64url"
</P>
<P>"alg":"RSA-SHA256"
</P>
</BLOCKQUOTE>
<P></P>
<OL class="text">
<LI>Convert the list of key/value pairs to be signed to an octet string by encoding it with Key-Value Form Encoding as specified in section 4.1.1 of <A class="info" href="#OpenID.authentication-2.0">[OpenID.authentication‑2.0]<SPAN> (</SPAN><SPAN class="info">specs@openid.net, “OpenID Authentication 2.0,” 2007.</SPAN><SPAN>)</SPAN></A>. The list MUST include the signature algorithm (sigalg) as well. The only signature algorithm supported at this time is RSA-SHA256, matching the "alg" value above.
</LI>
<LI>Apply the signature algorithm specified in the request to the octet string.
</LI>
<LI>The value yielded by the signature algorithm is base64url encoded, per the "encoding" parameter above: the URL- and filename-safe alphabet, not the standard <A class="info" href="#RFC2045">base64<SPAN> (</SPAN><SPAN class="info">Freed, N. and N. Borenstein, “Multipurpose Internet Mail Extensions (MIME) Part One: Format of Internet Message Bodies,” November 1996.</SPAN><SPAN>)</SPAN></A> [RFC2045] alphabet.
</LI>
</OL>
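<P>The three steps above worked through in Go, as an added example that is not part of this specification or of any OpenID implementation: Key-Value Form encoding with the "alg" entry appended, an RSA-SHA256 (PKCS#1 v1.5) signature over those octets, base64url output, and the verification the RP performs. The assertion fields, the key size and the OP's key are constructed for the demonstration, and only the signing steps as this section states them are reproduced, not the Magic Signatures envelope framing.</P>

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// Pair is one key/value entry; a slice keeps the signing order explicit.
type Pair struct{ Key, Value string }

// KeyValueForm encodes pairs as in OpenID Authentication 2.0 section 4.1.1,
// "key:value\n" per pair. A key must not contain ':' and neither key nor value
// may contain a newline, otherwise the encoding is ambiguous.
func KeyValueForm(pairs []Pair) ([]byte, error) {
	var b strings.Builder
	for _, p := range pairs {
		if strings.ContainsAny(p.Key, ":\n") || strings.Contains(p.Value, "\n") {
			return nil, fmt.Errorf("illegal character in pair %q", p.Key)
		}
		b.WriteString(p.Key + ":" + p.Value + "\n")
	}
	return []byte(b.String()), nil
}

// signedOctets appends the algorithm name (the "alg" parameter), as Section 6
// requires, and encodes the result. Both signer and verifier use it.
func signedOctets(pairs []Pair) ([]byte, error) {
	return KeyValueForm(append(append([]Pair{}, pairs...), Pair{"alg", "RSA-SHA256"}))
}

// Sign: encode, RSA-SHA256 (PKCS#1 v1.5) sign, base64url encode.
func Sign(priv *rsa.PrivateKey, pairs []Pair) (string, error) {
	data, err := signedOctets(pairs)
	if err != nil {
		return "", err
	}
	digest := sha256.Sum256(data)
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(sig), nil
}

// Verify re-derives the signed octets from the received pairs and checks the
// signature with the OP's public key. The algorithm is fixed by the verifier,
// never taken from the message, so a substituted "alg" cannot downgrade it.
func Verify(pub *rsa.PublicKey, pairs []Pair, sigB64 string) error {
	sig, err := base64.RawURLEncoding.DecodeString(sigB64)
	if err != nil {
		return err
	}
	data, err := signedOctets(pairs)
	if err != nil {
		return err
	}
	digest := sha256.Sum256(data)
	if rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return errors.New("signature does not verify")
	}
	return nil
}

// newKey makes a fresh 2048-bit RSA key for the demonstration; a real OP would
// publish the public half and keep the private half in an HSM or KMS.
func newKey() *rsa.PrivateKey {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return k
}

func main() {
	priv := newKey()
	assertion := []Pair{ // constructed sample assertion fields
		{"ns", "http://specs.openid.net/auth/2.0"},
		{"mode", "id_res"},
		{"claimed_id", "https://alice.example.org/"},
		{"return_to", "https://rp.example.com/openid/return"},
		{"response_nonce", "2010-04-14T00:00:00Zabc123"},
	}
	sig, err := Sign(priv, assertion)
	if err != nil {
		panic(err)
	}
	fmt.Println("sig:", sig)
	fmt.Println("intact:", Verify(&priv.PublicKey, assertion, sig))
	tampered := append([]Pair{}, assertion...)
	tampered[2] = Pair{"claimed_id", "https://mallory.example.org/"}
	fmt.Println("tampered:", Verify(&priv.PublicKey, tampered, sig))
}
```

<P>The verifier rebuilds the octet string itself and pins the algorithm; accepting an "alg" value from the message would let a sender choose a weaker algorithm than the one the RP expects.</P>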
<A name="anchor5"></A><BR><HR>
<TABLE summary="layout" cellpadding="0" cellspacing="2" class="TOCbug" align="right"><TBODY><TR><TD class="TOCbug"><A href="file:///C:/DOCUME~1/nat/LOCALS~1/Temp/xml2rfc-xxe-2801899079746774201.html#toc"> TOC </A></TD></TR></TBODY></TABLE>
<A name="rfc.section.7"></A><H3>7.
Protocol</H3>
<A name="initiation"></A><BR><HR>
<TABLE summary="layout" cellpadding="0" cellspacing="2" class="TOCbug" align="right"><TBODY><TR><TD class="TOCbug"><A href="file:///C:/DOCUME~1/nat/LOCALS~1/Temp/xml2rfc-xxe-2801899079746774201.html#toc"> TOC </A></TD></TR></TBODY></TABLE>
<A name="rfc.section.7.1"></A><H3>7.1.
Initiation</H3>
<P>To initiate OpenID Authentication, the Relying Party SHOULD present the end user with a form that has a field for entering a User-Supplied Identifier.
</P>
<P>The form field's "name" attribute SHOULD have the value "openid_identifier", so that User-Agents can automatically determine that this is an OpenID form. Browser extensions or other software that support OpenID Authentication may not detect a Relying Party's support if this attribute is not set appropriately.
</P>
<A name="normalization"></A><BR><HR>
<TABLE summary="layout" cellpadding="0" cellspacing="2" class="TOCbug" align="right"><TBODY><TR><TD class="TOCbug"><A href="file:///C:/DOCUME~1/nat/LOCALS~1/Temp/xml2rfc-xxe-2801899079746774201.html#toc"> TOC </A></TD></TR></TBODY></TABLE>
<A name="rfc.section.7.2"></A><H3>7.2.
Normalization</H3>
<P></P>
<OL class="text">
<LI>If the User-Supplied Identifier starts with "xri://", strip that prefix.
</LI>
<LI>If it starts with "=", "@", "+", "$", "!", or "(", prepend "https://xri.net/" to it.
</LI>
<LI>If it starts with "http://" or "https://", leave it unchanged.
</LI>
<LI>If no identifier was supplied, use "http://specs.openid.net/auth/2.0/identifier_select" (the identifier-select value of Section 7.4).
</LI>
</OL>
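<P>The four rules as one function, added here as an example and not taken from the specification. Section 7.2 does not say what to do with an identifier that has no scheme at all (for example "alice.example.org"); the function follows OpenID Authentication 2.0 section 7.2 and prepends "http://", which is marked as an assumption in the code. Trimming surrounding whitespace is also this example's addition.</P>

```go
package main

import (
	"fmt"
	"strings"
)

// IdentifierSelect is used when the user supplied no identifier; it is the
// value this document gives in Section 7.4.
const IdentifierSelect = "http://specs.openid.net/auth/2.0/identifier_select"

// Normalize applies the Section 7.2 rules in order. Surrounding whitespace is
// trimmed first (this example's addition, to tolerate pasted form input).
func Normalize(userSupplied string) string {
	id := strings.TrimSpace(userSupplied)
	id = strings.TrimPrefix(id, "xri://") // rule 1
	if id == "" {
		return IdentifierSelect // rule 4
	}
	if strings.ContainsRune("=@+$!(", rune(id[0])) { // rule 2: XRI global context symbols
		return "https://xri.net/" + id
	}
	lower := strings.ToLower(id)
	if strings.HasPrefix(lower, "http://") || strings.HasPrefix(lower, "https://") {
		return id // rule 3: URL identifiers are left as they are
	}
	// Not covered by Section 7.2: a URL without a scheme. ASSUMPTION: follow
	// OpenID Authentication 2.0 section 7.2 and prepend "http://".
	return "http://" + id
}

func main() {
	inputs := []string{"", "xri://=alice", "@example*alice", "HTTPS://alice.example.org/", "alice.example.org"}
	for _, in := range inputs {
		fmt.Printf("%-28q -> %s\n", in, Normalize(in))
	}
}
```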
<A name="discovery"></A><BR><HR>
<TABLE summary="layout" cellpadding="0" cellspacing="2" class="TOCbug" align="right"><TBODY><TR><TD class="TOCbug"><A href="file:///C:/DOCUME~1/nat/LOCALS~1/Temp/xml2rfc-xxe-2801899079746774201.html#toc"> TOC </A></TD></TR></TBODY></TABLE>
<A name="rfc.section.7.3"></A><H3>7.3.
Discovery</H3>
<P>Discovery is the process where the Relying Party uses the Identifier to look up ("discover") the necessary information for initiating requests. </P>
<OL class="text">
<LI>For the resulting URL, the Yadis protocol SHALL be attempted first. If it succeeds, the result is an XRDS document from which one should discover the following elements:
</LI>
<LI>If the Yadis protocol fails and no valid XRDS document is retrieved, or no Service Elements are found in the XRDS document, the URL is retrieved and HTML-Based discovery SHALL be attempted.
</LI>
</OL>
<A name="direct_authentication_request"></A><BR><HR>
<TABLE summary="layout" cellpadding="0" cellspacing="2" class="TOCbug" align="right"><TBODY><TR><TD class="TOCbug"><A href="file:///C:/DOCUME~1/nat/LOCALS~1/Temp/xml2rfc-xxe-2801899079746774201.html#toc"> TOC </A></TD></TR></TBODY></TABLE>
<A name="rfc.section.7.4"></A><H3>7.4.
Direct Authentication Request (Optional)</H3>
<P>Via the Direct Authentication Request, the authentication request, together with any extension requests such as AX and PAPE requests, is sent to the OP Endpoint URL that was discovered previously. A Direct Request is always over an SSL/TLS connection. No signature is required, but return_to is required and must match what is advertised in the RP's XRDS. Also, the XRDS MUST contain a CanonicalID (Subject in XRD), and this must be included in the request.
</P>
<P>Conceptually, there are two modes: "push" and "pull".
</P>
<P>"Push" is an HTTP POST to the OP Endpoint URL carrying all the parameters. In "pull" mode the RP instead publishes a "request parameter file" containing all the "push" parameters and hands only that file's URL to the OP in the "Artifact Authentication Request".
</P>
<P>"Push" Parameters sent are as follows:
</P>
<P></P>
<UL class="text">
<LI>openid.ns
<BLOCKQUOTE class="text">
<P>Value: "http://specs.openid.net/auth/2.0"
</P>
</BLOCKQUOTE>
</LI>
<LI>openid.mode
<BLOCKQUOTE class="text">
<P>Value: "direct_checkid_immediate" or "direct_checkid_setup"
</P>
</BLOCKQUOTE>
</LI>
<LI>openid.claimed_id
<BLOCKQUOTE class="text">
<P>Value: (optional) The Claimed Identifier.
</P>
<P>"openid.claimed_id" and "openid.identity" SHALL be either both present or both absent. If neither value is present, the assertion is not about an identifier, and will contain other information in its payload, using <A class="info" href="file:///C:/DOCUME~1/nat/LOCALS~1/Temp/xml2rfc-xxe-2801899079746774201.html#extensions">extensions<SPAN> (</SPAN><SPAN class="info">Extensions</SPAN><SPAN>)</SPAN></A> .
</P>
</BLOCKQUOTE>
</LI>
<LI>openid.identity
<BLOCKQUOTE class="text">
<P>Value: (optional) The OP-Local Identifier.
</P>
<P>If a different OP-Local Identifier is not specified, the claimed identifier MUST be used as the value for openid.identity.
</P>
<P>Note: If this is set to the special value "http://specs.openid.net/auth/2.0/identifier_select" then the OP SHOULD choose an Identifier that belongs to the end user. This parameter MAY be omitted if the request is not about an identifier (for instance if an extension is in use that makes the request meaningful without it; see openid.claimed_id above).
</P>
</BLOCKQUOTE>
</LI>
<LI>openid.return_to
<BLOCKQUOTE class="text">
<P>Value: (optional) URL to which the OP SHOULD return the User-Agent with the response indicating the status of the request.
</P>
<P>Note: If this value is not sent in the request it signifies that the Relying Party does not wish for the end user to be returned.
</P>
<P>Note: The return_to URL MAY be used as a mechanism for the Relying Party to attach context about the authentication request to the authentication response. This document does not define a mechanism by which the RP can ensure that query parameters are not modified by outside parties; such a mechanism can be defined by the RP itself.
</P>
</BLOCKQUOTE>
</LI>
<LI>openid.enckey
<BLOCKQUOTE class="text">
<P>Value: (optional) Base64-encoded public key certificate with which the OP is to encrypt the assertion.
</P>
</BLOCKQUOTE>
</LI>
<LI>openid.atype
<BLOCKQUOTE class="text">
<P>Value: (optional) Type of assertion to be returned at the end. "openid2" or "wss" or "saml2". Default is openid2. "wss" stands for WS-Security, "saml2" stands for SAML version 2.
</P>
</BLOCKQUOTE>
</LI>
</UL><P>The Request Parameter File (rpf) is created by capturing all the above parameters into a UTF-8 encoded JSON file, e.g.,
</P>
<P></P>
<DIV style="display: table; width: 0; margin-left: 3em; margin-right: auto"><PRE>{
"openid.ns":"http://specs.openid.net/auth/2.0",
"openid.mode":"direct_checkid_setup",
"openid.return_to":"https://example.com/rp/endpoint_url",
"openid.ns.ax":"http://openid.net/srv/ax/1.0",
"openid.ax.mode":"fetch_request",
"openid.ax.type.fname":"http://example.com/schema/fullname",
"openid.ax.type.gender":"http://example.com/schema/gender",
"openid.ax.required":"fname,gender",
"openid.ax.update_url":"http://idconsumer.com/update?transaction_id=a6b5c4"
}
</PRE></DIV><P>
</P>
<A name="direct_authentication_request_response"></A><BR><HR>
<TABLE summary="layout" cellpadding="0" cellspacing="2" class="TOCbug" align="right"><TBODY><TR><TD class="TOCbug"><A href="file:///C:/DOCUME~1/nat/LOCALS~1/Temp/xml2rfc-xxe-2801899079746774201.html#toc"> TOC </A></TD></TR></TBODY></TABLE>
<A name="rfc.section.7.5"></A><H3>7.5.
Direct Authentication Request Response</H3>
<P>When Direct Authentication Request is received successfully, the OP performs request validation. Request validation includes Return URL Verification as in <A class="info" href="file:///C:/DOCUME~1/nat/LOCALS~1/Temp/xml2rfc-xxe-2801899079746774201.html#OpenID.authentication-2.0">[OpenID.authentication‑2.0]<SPAN> (</SPAN><SPAN class="info">specs@openid.net, “OpenID Authentication 2.0,” 2007.</SPAN><SPAN>)</SPAN></A> section 9.2.
</P>
<P>If the request is valid, the OP returns the following fields in the HTTP response body (Key-Value Form, Section 4).
</P>
<P></P>
<UL class="text">
<LI>openid.ns
<BLOCKQUOTE class="text">
<P>Value: "http://specs.openid.net/auth/2.0"
</P>
</BLOCKQUOTE>
</LI>
<LI>openid.mode
<BLOCKQUOTE class="text">
<P>Value: direct_checkid_accepted
</P>
</BLOCKQUOTE>
</LI>
<LI>openid.artifact
<BLOCKQUOTE class="text">
<P>Value: A unique short string of fewer than 400 characters. The RP subsequently uses the Artifact in a redirect request, the Artifact Authentication Request. Since the Artifact is the only thing the User-Agent carries to the OP in place of the request, it needs to be unguessable; generating it from a cryptographically strong random source, as Section 7.7 requires for the response Artifact, achieves this.
</P>
</BLOCKQUOTE>
</LI>
</UL>
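<P>An OP-side handler for the "push" form of Sections 7.4 and 7.5, added here as an example and not code from the specification or from any OP: it parses the POST body, enforces the claimed_id/identity pairing rule, checks return_to against what the RP's XRDS advertises using the Return URL matching rule of OpenID Authentication 2.0 section 9.2, and on success stores the request under a fresh CSPRNG-derived Artifact and produces the Key-Value Form response with the field names as listed above. The advertised-URL table, the hostnames and the request body are constructed for the demonstration; a real OP would fill the table from RP discovery (Section 9).</P>

```go
package main

import (
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"net/url"
	"sync"
)

const nsOpenID2 = "http://specs.openid.net/auth/2.0"

// OP holds what an OpenID Provider keeps between the Direct Authentication
// Request (7.4) and the Artifact Authentication Request (7.6): the return_to
// URLs found in each RP's XRDS (a constructed table keyed by host, standing in
// for RP discovery) and the pending requests, keyed by Artifact.
type OP struct {
	advertised map[string][]string
	mu         sync.Mutex
	pending    map[string]url.Values
}

func NewOP(advertised map[string][]string) *OP {
	return &OP{advertised: advertised, pending: map[string]url.Values{}}
}

// returnToMatches is the Return URL matching rule of OpenID Authentication 2.0
// section 9.2: same scheme, authority and path, and every query parameter of
// the advertised URL present in return_to with the same value (return_to may
// add parameters of its own). Advertised parameters are assumed single-valued.
func returnToMatches(advertised, returnTo string) bool {
	a, errA := url.Parse(advertised)
	r, errR := url.Parse(returnTo)
	if errA != nil || errR != nil {
		return false
	}
	if a.Scheme != r.Scheme || a.Host != r.Host || a.Path != r.Path {
		return false
	}
	got := r.Query()
	for key, vals := range a.Query() {
		if len(vals) != 1 || got.Get(key) != vals[0] {
			return false
		}
	}
	return true
}

// newArtifact: 32 CSPRNG bytes, base64url encoded (43 characters, unguessable).
func newArtifact() (string, error) {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(b), nil
}

// HandleDirectAuthRequest validates a "push" request body (the form-encoded
// POST of Section 7.4), stores it under a fresh Artifact and returns the
// Artifact together with the Section 7.5 response in Key-Value Form.
func (op *OP) HandleDirectAuthRequest(body string) (artifact, response string, err error) {
	req, err := url.ParseQuery(body)
	if err != nil {
		return "", "", err
	}
	if m := req.Get("openid.mode"); req.Get("openid.ns") != nsOpenID2 ||
		(m != "direct_checkid_immediate" && m != "direct_checkid_setup") {
		return "", "", errors.New("unsupported openid.ns or openid.mode")
	}
	if (req.Get("openid.claimed_id") == "") != (req.Get("openid.identity") == "") {
		return "", "", errors.New("openid.claimed_id and openid.identity must be both present or both absent")
	}
	rt := req.Get("openid.return_to")
	rtURL, err := url.Parse(rt)
	if rt == "" || err != nil {
		return "", "", errors.New("openid.return_to is required")
	}
	ok := false
	for _, adv := range op.advertised[rtURL.Host] {
		ok = ok || returnToMatches(adv, rt)
	}
	if !ok {
		return "", "", errors.New("openid.return_to does not match the RP's XRDS")
	}
	if artifact, err = newArtifact(); err != nil {
		return "", "", err
	}
	op.mu.Lock()
	op.pending[artifact] = req
	op.mu.Unlock()
	response = "openid.ns:" + nsOpenID2 + "\nopenid.mode:direct_checkid_accepted\nopenid.artifact:" + artifact + "\n"
	return artifact, response, nil
}

func main() {
	op := NewOP(map[string][]string{"rp.example.com": {"https://rp.example.com/openid/return?app=shop"}})
	body := "openid.ns=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0&openid.mode=direct_checkid_setup" +
		"&openid.return_to=https%3A%2F%2Frp.example.com%2Fopenid%2Freturn%3Fapp%3Dshop%26txn%3D42" // constructed
	art, resp, err := op.HandleDirectAuthRequest(body)
	fmt.Printf("artifact=%s err=%v\n%s", art, err, resp)
}
```

<P>The return_to check is what stops a third party from pointing the OP's eventual redirect at a host of its choosing; the Artifact is only issued once that check has passed, so an unknown or mismatched return_to never gets a pending request stored against it.</P>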
<A name="artifact_authentication_request"></A><BR><HR>
<TABLE summary="layout" cellpadding="0" cellspacing="2" class="TOCbug" align="right"><TBODY><TR><TD class="TOCbug"><A href="file:///C:/DOCUME~1/nat/LOCALS~1/Temp/xml2rfc-xxe-2801899079746774201.html#toc"> TOC </A></TD></TR></TBODY></TABLE>
<A name="rfc.section.7.6"></A><H3>7.6.
Artifact Authentication Request</H3>
<P>Upon receipt of the Artifact, the RP sends the Artifact Authentication Request to the OP by redirecting the User-Agent to the OP Endpoint URL. The fields are as follows:
</P>
<P></P>
<UL class="text">
<LI>openid.ns
<BLOCKQUOTE class="text">
<P>As specified in Section 4.1.2 of <A class="info" href="file:///C:/DOCUME~1/nat/LOCALS~1/Temp/xml2rfc-xxe-2801899079746774201.html#OpenID.authentication-2.0">[OpenID.authentication‑2.0]<SPAN> (</SPAN><SPAN class="info">specs@openid.net, “OpenID Authentication 2.0,” 2007.</SPAN><SPAN>)</SPAN></A> .
</P>
</BLOCKQUOTE>
</LI>
<LI>openid.mode
<BLOCKQUOTE class="text">
<P>Value: art_req
</P>
</BLOCKQUOTE>
</LI>
<LI>openid.artifact
<BLOCKQUOTE class="text">
<P>Value: (Optional) The Artifact value returned by the OP in <A class="info" href="#direct_authentication_request_response">Section 7.5<SPAN> (</SPAN><SPAN class="info">Direct Authentication Request Response</SPAN><SPAN>)</SPAN></A>. Exactly one of openid.artifact and openid.rpfurl should be present in a request.
</P>
</BLOCKQUOTE>
</LI>
<LI>openid.rpfurl
<BLOCKQUOTE class="text">
<P>Value: (Optional) URL of the request parameter file. Optionally, the SHA-256 hash of the file may be appended after "#", which lets the OP check that the file it retrieves is the one the RP published. Exactly one of openid.artifact and openid.rpfurl should be present in a request.
</P>
</BLOCKQUOTE>
</LI>
</UL>
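<P>Both forms of the Artifact Authentication Request, as an added example rather than the specification's own code: the RP builds the "pull" redirect with the file's SHA-256 in the fragment, and the OP, on receipt, enforces the one-of-artifact-or-rpfurl rule, requires an https rpfurl (its GET of that URL is Direct Communication, Section 5), and after fetching the file compares the hash with the fragment before trusting the parameters. The document does not fix an encoding for the hash; lower-case hex is assumed here. The OP Endpoint URL, the rpfurl and the file contents are constructed, and the fetch itself is simulated by passing the bytes in.</P>

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"net/url"
	"strings"
)

const (
	nsOpenID2  = "http://specs.openid.net/auth/2.0"
	opEndpoint = "https://op.example.org/endpoint" // constructed OP Endpoint URL
)

// RequestParameterFile serialises the "push" parameters as the UTF-8 JSON
// request parameter file of Section 7.4 that the RP publishes at the rpfurl.
func RequestParameterFile(params map[string]string) ([]byte, error) {
	return json.Marshal(params)
}

// RPFAuthRequestURL builds the Section 7.6 redirect in "pull" mode. The
// SHA-256 of the published bytes goes after "#" (lower-case hex is this
// example's choice) so the OP can tell whether what it fetches is the file
// the RP meant.
func RPFAuthRequestURL(rpfURL string, rpf []byte) string {
	sum := sha256.Sum256(rpf)
	q := url.Values{}
	q.Set("openid.ns", nsOpenID2)
	q.Set("openid.mode", "art_req")
	q.Set("openid.rpfurl", rpfURL+"#"+hex.EncodeToString(sum[:]))
	return opEndpoint + "?" + q.Encode()
}

// ArtifactAuthRequest is the OP's parsed view of the redirect.
type ArtifactAuthRequest struct {
	Artifact       string
	RPFURL         string // fragment removed, ready to GET
	ExpectedSHA256 string // lower-case hex, "" if the RP sent none
}

// ParseArtifactAuthRequest checks the envelope, the one-of-artifact-or-rpfurl
// rule, and that rpfurl is an absolute https URL (the OP's GET is Direct
// Communication and so must be over TLS, Section 5).
func ParseArtifactAuthRequest(rawURL string) (ArtifactAuthRequest, error) {
	u, err := url.Parse(rawURL)
	if err != nil {
		return ArtifactAuthRequest{}, err
	}
	q := u.Query()
	if q.Get("openid.ns") != nsOpenID2 || q.Get("openid.mode") != "art_req" {
		return ArtifactAuthRequest{}, errors.New("not an Artifact Authentication Request")
	}
	art, rpf := q.Get("openid.artifact"), q.Get("openid.rpfurl")
	if (art == "") == (rpf == "") {
		return ArtifactAuthRequest{}, errors.New("exactly one of openid.artifact and openid.rpfurl must be present")
	}
	if art != "" {
		return ArtifactAuthRequest{Artifact: art}, nil
	}
	ru, err := url.Parse(rpf)
	if err != nil || ru.Scheme != "https" || ru.Host == "" {
		return ArtifactAuthRequest{}, errors.New("openid.rpfurl must be an absolute https URL")
	}
	expected := strings.ToLower(ru.Fragment)
	ru.Fragment = ""
	return ArtifactAuthRequest{RPFURL: ru.String(), ExpectedSHA256: expected}, nil
}

// CheckRPF is what the OP does after GETting the rpfurl: compare the hash when
// one was given, then parse the JSON back into request parameters.
func CheckRPF(req ArtifactAuthRequest, fetched []byte) (map[string]string, error) {
	if req.ExpectedSHA256 != "" {
		sum := sha256.Sum256(fetched)
		if hex.EncodeToString(sum[:]) != req.ExpectedSHA256 {
			return nil, errors.New("request parameter file does not match the hash in rpfurl")
		}
	}
	var params map[string]string
	if err := json.Unmarshal(fetched, &params); err != nil {
		return nil, err
	}
	return params, nil
}

func main() {
	params := map[string]string{ // constructed; mirrors the file shown in Section 7.4
		"openid.ns":        nsOpenID2,
		"openid.mode":      "direct_checkid_setup",
		"openid.return_to": "https://example.com/rp/endpoint_url",
	}
	rpf, _ := RequestParameterFile(params)
	redirect := RPFAuthRequestURL("https://example.com/rp/rpf/a6b5c4.json", rpf)
	fmt.Println(redirect)
	req, _ := ParseArtifactAuthRequest(redirect)
	_, okErr := CheckRPF(req, rpf)
	_, badErr := CheckRPF(req, append(append([]byte{}, rpf...), '\n')) // altered in transit
	fmt.Println("intact:", okErr, "altered:", badErr)
}
```

<P>The rpfurl is whatever the party that sent the redirect put there, so the OP's GET is a server-side request to untrusted input; restricting it to https, as the parser does, is the minimum, and an OP should apply its usual precautions for fetching caller-supplied URLs on top of that.</P>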
<A name="artifact_authentication_response"></A><BR><HR>
<TABLE summary="layout" cellpadding="0" cellspacing="2" class="TOCbug" align="right"><TBODY><TR><TD class="TOCbug"><A href="file:///C:/DOCUME~1/nat/LOCALS~1/Temp/xml2rfc-xxe-2801899079746774201.html#toc"> TOC </A></TD></TR></TBODY></TABLE>
<A name="rfc.section.7.7"></A><H3>7.7.
Artifact Authentication Response</H3>
<P>Upon receipt of the Artifact Authentication Request, the OP determines whether to retrieve the request parameters by artifact or by rpfurl. If by artifact, the OP retrieves the stored request in whatever manner it implemented. If by rpfurl, the OP MUST send a GET request to the rpfurl to retrieve the content and parse it to recreate the request parameters; if the rpfurl carried a SHA-256 hash in its fragment, the OP compares it with the hash of the retrieved content and treats a mismatch as an invalid request. Note that the rpfurl is supplied by whoever sent the redirect, so this fetch is a server-side request to untrusted input: it is Direct Communication and therefore MUST be over SSL/TLS (Section 5), and the OP should apply its usual precautions for fetching caller-supplied URLs. Once this is done, the OP MUST determine that an authorized end user wishes to complete the authentication in the manner described in Section 10 of <A class="info" href="#OpenID.authentication-2.0">[OpenID.authentication‑2.0]<SPAN> (</SPAN><SPAN class="info">specs@openid.net, “OpenID Authentication 2.0,” 2007.</SPAN><SPAN>)</SPAN></A>. Once that is determined, the OP creates either a positive or a negative assertion and an associated Artifact and returns the response as follows:
</P>
<P></P>
<UL class="text">
<LI>openid.ns
<BLOCKQUOTE class="text">
<P>As specified in Section 4.1.2 of <A class="info" href="file:///C:/DOCUME~1/nat/LOCALS~1/Temp/xml2rfc-xxe-2801899079746774201.html#OpenID.authentication-2.0">[OpenID.authentication‑2.0]<SPAN> (</SPAN><SPAN class="info">specs@openid.net, “OpenID Authentication 2.0,” 2007.</SPAN><SPAN>)</SPAN></A> .
</P>
</BLOCKQUOTE>
</LI>
<LI>openid.mode
<BLOCKQUOTE class="text">
<P>Value: "art_res"
</P>
</BLOCKQUOTE>
</LI>
<LI>openid.artifact
<BLOCKQUOTE class="text">
<P>Value: An Artifact corresponding to the assertion just created. The Artifact value must include a string constructed from a cryptographically strong random or pseudorandom number sequence <A class="info" href="file:///C:/DOCUME~1/nat/LOCALS~1/Temp/xml2rfc-xxe-2801899079746774201.html#RFC1750">[RFC1750]<SPAN> (</SPAN><SPAN class="info">Eastlake, D., Crocker, S., and J. Schiller, “Randomness Recommendations for Security,” RFC 1750.</SPAN><SPAN>)</SPAN></A> generated by the OP, so that it cannot be guessed by a third party.
</P>
<P>If the request artifact (or the request parameter file) could not be found at the OP, the value MUST be the string "INVALID".
</P>
</BLOCKQUOTE>
</LI>
</UL>
<P>No other parameters are returned.
</P>
<A name="direct_assertion_request"></A><BR><HR>
<TABLE summary="layout" cellpadding="0" cellspacing="2" class="TOCbug" align="right"><TBODY><TR><TD class="TOCbug"><A href="file:///C:/DOCUME~1/nat/LOCALS~1/Temp/xml2rfc-xxe-2801899079746774201.html#toc"> TOC </A></TD></TR></TBODY></TABLE>
<A name="rfc.section.7.8"></A><H3>7.8.
Direct Assertion Request</H3>
<P>If a valid openid.artifact (that is, a value other than "INVALID") was returned, the RP SHOULD send a direct request to the OP with the following parameters:
</P>
<P></P>
<UL class="text">
<LI>openid.ns
<BLOCKQUOTE class="text">
<P>As specified in Section 4.1.2 of <A class="info" href="file:///C:/DOCUME~1/nat/LOCALS~1/Temp/xml2rfc-xxe-2801899079746774201.html#OpenID.authentication-2.0">[OpenID.authentication‑2.0]<SPAN> (</SPAN><SPAN class="info">specs@openid.net, “OpenID Authentication 2.0,” 2007.</SPAN><SPAN>)</SPAN></A> .
</P>
</BLOCKQUOTE>
</LI>
<LI>openid.mode
<BLOCKQUOTE class="text">
<P>Value: "direct_assertion_req"
</P>
</BLOCKQUOTE>
</LI>
<LI>openid.artifact
<BLOCKQUOTE class="text">
<P>Value: The Artifact value received in the <A class="info" href="file:///C:/DOCUME~1/nat/LOCALS~1/Temp/xml2rfc-xxe-2801899079746774201.html#artifact_authentication_response">Section 7.7<SPAN> (</SPAN><SPAN class="info">Artifact Authentication Response</SPAN><SPAN>)</SPAN></A>.
</P>
</BLOCKQUOTE>
</LI>
</UL>
<P>On receipt of this request, the OP returns the assertion it created earlier as the payload of the response, as described in <A class="info" href="file:///C:/DOCUME~1/nat/LOCALS~1/Temp/xml2rfc-xxe-2801899079746774201.html#direct_assertion_response">Section 7.9<SPAN> (</SPAN><SPAN class="info">Direct Assertion Response</SPAN><SPAN>)</SPAN></A>.
</P>
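<P>The exchange of Sections 7.6 through 7.8, as an added example in Go that is not part of this draft or of any OpenID implementation. It shows the OP recreating the request from either openid.artifact or openid.rpfurl (checking the SHA256 fragment when one is given), minting the assertion artifact from a CSPRNG, answering "INVALID" when the request cannot be found, and then serving the stored assertion to the RP's direct_assertion_req. Assumptions not fixed by the draft: the request parameter file is in OpenID key-value form, the artifact is 32 random bytes in base64url, the positive assertion carries only a subset of the OpenID 2.0 fields, and an assertion artifact is deleted on first dereference so that a captured artifact cannot be replayed.
</P>

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

const ns = "http://specs.openid.net/auth/2.0"
// Params is an OpenID message; in direct communication it travels as one "key:value" per line.
type Params map[string]string

// ParseKV decodes key-value form; lines without a colon are ignored.
func ParseKV(body string) Params {
	p := Params{}
	for _, line := range strings.Split(body, "\n") {
		if kv := strings.SplitN(line, ":", 2); len(kv) == 2 {
			p[kv[0]] = kv[1]
		}
	}
	return p
}

// OP is the provider state: in-memory maps stand in for a shared, expiring store, and Fetch
// (the HTTP GET used for openid.rpfurl) is injected so the example runs offline.
type OP struct {
	Requests   map[string]Params // request artifacts handed out in Section 7.5
	Assertions map[string]Params // assertion artifacts handed out in Section 7.7
	Fetch      func(url string) ([]byte, error)
}

// newArtifact returns base64url of 32 CSPRNG bytes, the unguessable string Section 7.7 requires.
func newArtifact() string {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil { panic(err) }
	return base64.RawURLEncoding.EncodeToString(b)
}

// resolveRequest recreates the request from exactly one of openid.artifact / openid.rpfurl. For
// rpfurl, a "#<sha256 hex>" fragment must match the fetched file, assumed to be in key-value form.
func (op *OP) resolveRequest(req Params) (Params, error) {
	art, hasArt := req["openid.artifact"]
	rpfurl, hasURL := req["openid.rpfurl"]
	if hasArt == hasURL {
		return nil, errors.New("exactly one of openid.artifact or openid.rpfurl is required")
	}
	if hasArt {
		if orig, ok := op.Requests[art]; ok {
			return orig, nil
		}
		return nil, errors.New("unknown request artifact")
	}
	parts := strings.SplitN(rpfurl, "#", 2)
	body, err := op.Fetch(parts[0])
	if err != nil { return nil, err }
	if len(parts) == 2 && parts[1] != "" {
		if sum := sha256.Sum256(body); hex.EncodeToString(sum[:]) != strings.ToLower(parts[1]) {
			return nil, errors.New("request parameter file does not match the SHA256 in rpfurl")
		}
	}
	return ParseKV(string(body)), nil
}

// ArtifactAuthResponse is Section 7.7: approved is the outcome of the OP's own login and consent
// step; the assertion is parked under a fresh artifact and only ns, mode and artifact go back.
func (op *OP) ArtifactAuthResponse(req Params, approved bool) Params {
	resp := Params{"openid.ns": ns, "openid.mode": "art_res", "openid.artifact": "INVALID"}
	orig, err := op.resolveRequest(req)
	if err != nil {
		return resp // request artifact or parameter file not found: "INVALID"
	}
	assertion := Params{"openid.ns": ns, "openid.mode": "cancel", "openid.return_to": orig["openid.return_to"]}
	if approved {
		assertion["openid.mode"], assertion["openid.claimed_id"] = "id_res", orig["openid.claimed_id"]
	}
	resp["openid.artifact"] = newArtifact()
	op.Assertions[resp["openid.artifact"]] = assertion
	return resp
}

// DirectAssertionResponse is Sections 7.8/7.9: the RP presents the artifact over direct communication
// and gets the stored assertion, deleted on first use (this example's assumption) to block replay.
func (op *OP) DirectAssertionResponse(req Params) (Params, error) {
	a, ok := op.Assertions[req["openid.artifact"]]
	if req["openid.mode"] != "direct_assertion_req" || !ok {
		return nil, errors.New("bad mode, or unknown or already used artifact")
	}
	delete(op.Assertions, req["openid.artifact"])
	return a, nil
}

func main() {
	op := &OP{Requests: map[string]Params{}, Assertions: map[string]Params{}, Fetch: func(string) ([]byte, error) { return nil, errors.New("offline example") }}
	op.Requests["req-1"] = Params{"openid.claimed_id": "http://alice.example.org/", "openid.return_to": "http://rp.example.com/return"}
	r := op.ArtifactAuthResponse(Params{"openid.artifact": "req-1"}, true)
	a, err := op.DirectAssertionResponse(Params{"openid.mode": "direct_assertion_req", "openid.artifact": r["openid.artifact"]})
	fmt.Println(r["openid.mode"], a["openid.mode"], a["openid.claimed_id"], err)
}
```

<P>The rpfurl branch is the one place in the flow where the OP fetches a URL chosen by the requester; the hash check only tells the OP that it got the file the RP meant, so the fetch itself should still be confined to the same controls an OP applies to any outbound request.
</P>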
<A name="direct_assertion_response"></A><BR><HR>
<TABLE summary="layout" cellpadding="0" cellspacing="2" class="TOCbug" align="right"><TBODY><TR><TD class="TOCbug"><A href="file:///C:/DOCUME~1/nat/LOCALS~1/Temp/xml2rfc-xxe-2801899079746774201.html#toc"> TOC </A></TD></TR></TBODY></TABLE>
<A name="rfc.section.7.9"></A><H3>7.9.
Direct Assertion Response</H3>
<P>Upon receipt of the Direct Assertion Request, the OP MUST return either a Positive or a Negative Assertion as defined in <A class="info" href="file:///C:/DOCUME~1/nat/LOCALS~1/Temp/xml2rfc-xxe-2801899079746774201.html#OpenID.authentication-2.0">[OpenID.authentication‑2.0]<SPAN> (</SPAN><SPAN class="info">specs@openid.net, “OpenID Authentication 2.0,” 2007.</SPAN><SPAN>)</SPAN></A> in the body of the HTTP/S response, except that openid.invalidate_handle, openid.assoc_handle, openid.signed and openid.sig are unnecessary, since the assertion is obtained directly from the OP rather than through the User-Agent. In addition, this specification defines the following parameter:
</P>
<P></P>
<UL class="text">
<LI>openid.proofkey
<BLOCKQUOTE class="text">
<P>Value: (Optional) X.509 public key certificate of the user being authenticated.
</P>
</BLOCKQUOTE>
</LI>
</UL>
<P>It is also possible to apply a signature to the assertion. In this case, the assertion is encoded in the Magic Signature <A class="info" href="file:///C:/DOCUME~1/nat/LOCALS~1/Temp/xml2rfc-xxe-2801899079746774201.html#magic_signatures">[magic_signatures]<SPAN> (</SPAN><SPAN class="info">Panzer, J., “Magic Signatures,” February 2010.</SPAN><SPAN>)</SPAN></A> format with the parameters described in <A class="info" href="file:///C:/DOCUME~1/nat/LOCALS~1/Temp/xml2rfc-xxe-2801899079746774201.html#generating_signatures">Section 6<SPAN> (</SPAN><SPAN class="info">Generating Signatures</SPAN><SPAN>)</SPAN></A>.
</P>
<P>Further, the payload may be encrypted. If it is encrypted, the data is formatted as the following JSON object, as defined in <A class="info" href="file:///C:/DOCUME~1/nat/LOCALS~1/Temp/xml2rfc-xxe-2801899079746774201.html#RFC4627">[RFC4627]<SPAN> (</SPAN><SPAN class="info">Crockford, D., “The application/json Media Type for JavaScript Object Notation (JSON),” RFC 4627.</SPAN><SPAN>)</SPAN></A>:
</P>
<P></P>
<UL class="text">
<LI>"encdata"
<BLOCKQUOTE class="text">
<P>Value: The encrypted data, base64url encoded as in <A class="info" href="file:///C:/DOCUME~1/nat/LOCALS~1/Temp/xml2rfc-xxe-2801899079746774201.html#magic_signatures">[magic_signatures]<SPAN> (</SPAN><SPAN class="info">Panzer, J., “Magic Signatures,” February 2010.</SPAN><SPAN>)</SPAN></A>.
</P>
</BLOCKQUOTE>
</LI>
<LI>"enckey"
<BLOCKQUOTE class="text">
<P>Value: (Optional; required unless enctype is "plain") The symmetric key that was used to encrypt the payload, encrypted under the recipient's public key and then base64 encoded.
</P>
</BLOCKQUOTE>
</LI>
<LI>"enciv"
<BLOCKQUOTE class="text">
<P>Value: (Optional; required unless enctype is "plain") Base64 encoded initialization vector.
</P>
</BLOCKQUOTE>
</LI>
<LI>"enctype"
<BLOCKQUOTE class="text">
<P>Value: (Optional) String identifying the encryption type. The default is "plain", which means no encryption. The other value defined by this specification is "CFB-256-128-PKCS5_PADDING", meaning CFB mode with a 256 bit key, a 128 bit block and PKCS#5 padding.
</P>
</BLOCKQUOTE>
</LI>
</UL>
<P>Note that this encryption provides confidentiality only: CFB mode carries no integrity check, so a payload that decrypts without error is not thereby known to be unmodified. An RP should not treat successful decryption as evidence of authenticity and should rely on the signature of <A class="info" href="file:///C:/DOCUME~1/nat/LOCALS~1/Temp/xml2rfc-xxe-2801899079746774201.html#generating_signatures">Section 6<SPAN> (</SPAN><SPAN class="info">Generating Signatures</SPAN><SPAN>)</SPAN></A> for integrity.
</P>
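<P>The encrypted payload described above, as an added example in Go that is not part of this draft or of any OpenID implementation. Encrypt builds the JSON object with a fresh AES-256 key and IV under enctype "CFB-256-128-PKCS5_PADDING"; Decrypt is the RP side and also accepts "plain". Assumed, because the draft does not specify them: the symmetric key is wrapped with RSA-OAEP (SHA-256), PKCS#5 padding is applied even though CFB does not need it, the plaintext is the assertion in key-value form, and the RP key pair is generated locally (NewRPKey) rather than obtained out of band.
</P>

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
)

// EncPayload is the JSON object of Section 7.9 that carries an encrypted assertion.
type EncPayload struct {
	EncData string `json:"encdata"`           // base64url ciphertext (plaintext when enctype is "plain")
	EncKey  string `json:"enckey,omitempty"`  // base64 of the RSA-wrapped AES key
	EncIV   string `json:"enciv,omitempty"`   // base64 IV
	EncType string `json:"enctype,omitempty"` // "plain" or CFBType
}

const CFBType = "CFB-256-128-PKCS5_PADDING" // CFB mode, 256-bit key, 128-bit block, PKCS#5 padding

// NewRPKey generates the RP key pair; in practice the OP learns the public half out of band.
func NewRPKey() *rsa.PrivateKey {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil { panic(err) }
	return k
}

func pkcs5Pad(b []byte) []byte {
	n := aes.BlockSize - len(b)%aes.BlockSize
	return append(b, bytes.Repeat([]byte{byte(n)}, n)...)
}

func pkcs5Unpad(b []byte) ([]byte, error) {
	n := 0
	if len(b) > 0 { n = int(b[len(b)-1]) }
	if n == 0 || n > aes.BlockSize || n > len(b) || !bytes.Equal(b[len(b)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, errors.New("bad PKCS#5 padding")
	}
	return b[:len(b)-n], nil
}

// Encrypt builds the payload: fresh 256-bit AES key and 128-bit IV, AES-CFB over the padded
// assertion, key wrapped for the RP with RSA-OAEP/SHA-256 (the wrapping scheme is this example's
// assumption; the draft only says "public key encrypted").
func Encrypt(assertion []byte, rpPub *rsa.PublicKey) (*EncPayload, error) {
	key, iv := make([]byte, 32), make([]byte, aes.BlockSize)
	if _, err := rand.Read(key); err != nil { return nil, err }
	if _, err := rand.Read(iv); err != nil { return nil, err }
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	padded := pkcs5Pad(assertion)
	ct := make([]byte, len(padded))
	cipher.NewCFBEncrypter(block, iv).XORKeyStream(ct, padded)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, rpPub, key, nil)
	if err != nil { return nil, err }
	return &EncPayload{EncData: base64.RawURLEncoding.EncodeToString(ct), EncKey: base64.StdEncoding.EncodeToString(wrapped),
		EncIV: base64.StdEncoding.EncodeToString(iv), EncType: CFBType}, nil
}

// Decrypt is the RP side. CFB is unauthenticated: a ciphertext altered in transit decrypts
// without error, so success here says nothing about integrity; that must come from the
// Section 6 signature, checked before any field of the result is used.
func Decrypt(raw []byte, rpPriv *rsa.PrivateKey) ([]byte, error) {
	var p EncPayload
	if err := json.Unmarshal(raw, &p); err != nil { return nil, err }
	data, err := base64.RawURLEncoding.DecodeString(p.EncData)
	if err != nil { return nil, err }
	switch p.EncType {
	case "", "plain":
		return data, nil
	case CFBType:
	default:
		return nil, errors.New("unsupported enctype " + p.EncType)
	}
	wrapped, err := base64.StdEncoding.DecodeString(p.EncKey)
	if err != nil { return nil, err }
	iv, err := base64.StdEncoding.DecodeString(p.EncIV)
	if err != nil || len(iv) != aes.BlockSize { return nil, errors.New("bad enciv") }
	key, err := rsa.DecryptOAEP(sha256.New(), nil, rpPriv, wrapped, nil)
	if err != nil || len(key) != 32 { return nil, errors.New("enckey does not unwrap to a 256-bit key") }
	block, _ := aes.NewCipher(key)
	pt := make([]byte, len(data))
	cipher.NewCFBDecrypter(block, iv).XORKeyStream(pt, data)
	return pkcs5Unpad(pt)
}

func main() {
	rpKey := NewRPKey()
	p, _ := Encrypt([]byte("openid.mode:id_res\nopenid.claimed_id:http://alice.example.org/\n"), &rpKey.PublicKey)
	raw, _ := json.Marshal(p)
	pt, err := Decrypt(raw, rpKey)
	fmt.Printf("%s%v\n", pt, err)
}
```

<P>Flipping one bit in the first ciphertext byte changes the corresponding plaintext byte, garbles the following block and leaves the padding block intact, so Decrypt returns a different assertion with no error. That is the property the note above warns about: the signature, not the cipher, is what tells the RP the assertion is genuine.
</P>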
<A name="verification"></A><BR><HR>
<TABLE summary="layout" cellpadding="0" cellspacing="2" class="TOCbug" align="right"><TBODY><TR><TD class="TOCbug"><A href="file:///C:/DOCUME~1/nat/LOCALS~1/Temp/xml2rfc-xxe-2801899079746774201.html#toc"> TOC </A></TD></TR></TBODY></TABLE>
<A name="rfc.section.7.10"></A><H3>7.10.
Verifying Assertions</H3>
<P>Assertion verification is performed as in Sections 11.1 to 11.3 of <A class="info" href="file:///C:/DOCUME~1/nat/LOCALS~1/Temp/xml2rfc-xxe-2801899079746774201.html#OpenID.authentication-2.0">[OpenID.authentication‑2.0]<SPAN> (</SPAN><SPAN class="info">specs@openid.net, “OpenID Authentication 2.0,” 2007.</SPAN><SPAN>)</SPAN></A>. In addition, if a signature is used, the signature verification in Section 7.10.1 must be performed.
</P>
<A name="signature_verification"></A><BR><HR>
<TABLE summary="layout" cellpadding="0" cellspacing="2" class="TOCbug" align="right"><TBODY><TR><TD class="TOCbug"><A href="file:///C:/DOCUME~1/nat/LOCALS~1/Temp/xml2rfc-xxe-2801899079746774201.html#toc"> TOC </A></TD></TR></TBODY></TABLE>
<A name="rfc.section.7.10.1"></A><H3>7.10.1.
Signature Verification</H3>
<P>Signature verification is performed in the following steps.
</P>
<P></P>
<OL class="text">
<LI>Base64 decode openid.response.
</LI>
<LI>Verify openid.sig against the decoded data, using the algorithm and parameters of <A class="info" href="file:///C:/DOCUME~1/nat/LOCALS~1/Temp/xml2rfc-xxe-2801899079746774201.html#generating_signatures">Section 6<SPAN> (</SPAN><SPAN class="info">Generating Signatures</SPAN><SPAN>)</SPAN></A> and the OP's verification key obtained independently of the response (for example, through discovery). The assertion must be rejected if the signature does not verify, and no field of the response should be used before this check succeeds.
</LI>
</OL>
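<P>The two verification steps, as an added example in Go that is not part of this draft or of any OpenID implementation. Sign and NewKey are included only so that the example is self-contained. Assumed, because the draft's steps do not fix them: the signature is RSA PKCS#1 v1.5 with SHA-256 over the raw decoded assertion bytes; Section 6 of the draft governs the actual byte sequence and algorithm, and an implementation must follow it rather than this example.
</P>

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
)

// Signed holds the two parameters Section 7.10.1 consumes.
type Signed struct {
	Response string // openid.response: base64url of the assertion
	Sig      string // openid.sig: base64url of an RSA-SHA256 signature
}

// NewKey generates the OP signing key; the RP would instead obtain the matching public key
// through discovery, never from the response it is about to verify.
func NewKey() *rsa.PrivateKey {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil { panic(err) }
	return k
}

// Sign is the OP side (RSA PKCS#1 v1.5 with SHA-256 over the raw assertion bytes, assumed here).
func Sign(assertion []byte, opKey *rsa.PrivateKey) (*Signed, error) {
	h := sha256.Sum256(assertion)
	sig, err := rsa.SignPKCS1v15(rand.Reader, opKey, crypto.SHA256, h[:])
	if err != nil { return nil, err }
	return &Signed{base64.RawURLEncoding.EncodeToString(assertion), base64.RawURLEncoding.EncodeToString(sig)}, nil
}

// Verify performs the two steps of Section 7.10.1 and hands back the decoded assertion only when
// openid.sig verifies under opPub; nothing in the response should be used before this returns.
func Verify(s *Signed, opPub *rsa.PublicKey) ([]byte, error) {
	data, err := base64.RawURLEncoding.DecodeString(s.Response) // step 1: decode openid.response
	if err != nil { return nil, err }
	sig, err := base64.RawURLEncoding.DecodeString(s.Sig)
	if err != nil { return nil, err }
	h := sha256.Sum256(data) // step 2: check openid.sig over the decoded data
	if err := rsa.VerifyPKCS1v15(opPub, crypto.SHA256, h[:], sig); err != nil {
		return nil, fmt.Errorf("openid.sig does not verify: %w", err)
	}
	return data, nil
}

func main() {
	opKey := NewKey()
	s, _ := Sign([]byte("openid.mode:id_res\nopenid.claimed_id:http://alice.example.org/\n"), opKey)
	data, err := Verify(s, &opKey.PublicKey)
	fmt.Printf("%s%v\n", data, err)
}
```

<P>Verify returns the assertion bytes rather than a boolean so that a caller cannot accidentally parse openid.response before the signature has been checked.
</P>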
<P>
</P>
<A name="extensions"></A><BR><HR>
<TABLE summary="layout" cellpadding="0" cellspacing="2" class="TOCbug" align="right"><TBODY><TR><TD class="TOCbug"><A href="file:///C:/DOCUME~1/nat/LOCALS~1/Temp/xml2rfc-xxe-2801899079746774201.html#toc"> TOC </A></TD></TR></TBODY></TABLE>
<A name="rfc.section.8"></A><H3>8.
Extensions</H3>
<P>Extensions are as defined in Section 12 of <A class="info" href="file:///C:/DOCUME~1/nat/LOCALS~1/Temp/xml2rfc-xxe-2801899079746774201.html#OpenID.authentication-2.0">[OpenID.authentication‑2.0]<SPAN> (</SPAN><SPAN class="info">specs@openid.net, “OpenID Authentication 2.0,” 2007.</SPAN><SPAN>)</SPAN></A>. In addition, this specification adds “artifact” to the list of disallowed extension aliases.
</P>
<A name="rp_discovery"></A><BR><HR>
<TABLE summary="layout" cellpadding="0" cellspacing="2" class="TOCbug" align="right"><TBODY><TR><TD class="TOCbug"><A href="file:///C:/DOCUME~1/nat/LOCALS~1/Temp/xml2rfc-xxe-2801899079746774201.html#toc"> TOC </A></TD></TR></TBODY></TABLE>
<A name="rfc.section.9"></A><H3>9.
Discovering OpenID Relying Parties</H3>
<P>Relying Party Discovery is as in Section 13 of <A class="info" href="file:///C:/DOCUME~1/nat/LOCALS~1/Temp/xml2rfc-xxe-2801899079746774201.html#OpenID.authentication-2.0">[OpenID.authentication‑2.0]<SPAN> (</SPAN><SPAN class="info">specs@openid.net, “OpenID Authentication 2.0,” 2007.</SPAN><SPAN>)</SPAN></A>. Note that because the assertion is not signed in some cases, an RP supporting Artifact Binding MUST support Relying Party Discovery, so that the OP can verify that the return_to URL belongs to the RP.
</P>
<P>Non-normative example:
</P>
<P></P>
<DIV style="display: table; width: 0; margin-left: 3em; margin-right: auto"><PRE><XRD>
<CanonicalID>http://rp.example.com/#134592834fjs02</CanonicalID>
<Service xmlns="xri://$xrd*($v*2.0)">
<Type>http://specs.openid.net/auth/2.0/return_to</Type>
<URI>http://consumer.example.com/return</URI>
</Service>
</XRD></PRE></DIV><P>
</P>
<A name="security_considerations"></A><BR><HR>
<TABLE summary="layout" cellpadding="0" cellspacing="2" class="TOCbug" align="right"><TBODY><TR><TD class="TOCbug"><A href="file:///C:/DOCUME~1/nat/LOCALS~1/Temp/xml2rfc-xxe-2801899079746774201.html#toc"> TOC </A></TD></TR></TBODY></TABLE>
<A name="rfc.section.10"></A><H3>10.
Security Considerations</H3>
<P>The following is the list of attack vectors and remedies that were considered for this specification.
</P>
<P>For details of the attack vector, see <A class="info" href="file:///C:/DOCUME~1/nat/LOCALS~1/Temp/xml2rfc-xxe-2801899079746774201.html#SP800-63">[SP800‑63]<SPAN> (</SPAN><SPAN class="info">, “NIST SP800-63rev.1: Electronic Authentication Guideline,” December 2008.</SPAN><SPAN>)</SPAN></A>.
</P>
<A name="assertion_manufacture"></A><BR><HR>
<TABLE summary="layout" cellpadding="0" cellspacing="2" class="TOCbug" align="right"><TBODY><TR><TD class="TOCbug"><A href="file:///C:/DOCUME~1/nat/LOCALS~1/Temp/xml2rfc-xxe-2801899079746774201.html#toc"> TOC </A></TD></TR></TBODY></TABLE>
<A name="rfc.section.10.1"></A><H3>10.1.
Assertion manufacture/modification</H3>
<P>To be completed.
</P>
<A name="assertion_disclosure"></A><BR><HR>
<TABLE summary="layout" cellpadding="0" cellspacing="2" class="TOCbug" align="right"><TBODY><TR><TD class="TOCbug"><A href="file:///C:/DOCUME~1/nat/LOCALS~1/Temp/xml2rfc-xxe-2801899079746774201.html#toc"> TOC </A></TD></TR></TBODY></TABLE>
<A name="rfc.section.10.2"></A><H3>10.2.
Assertion disclosure</H3>
<P>To be completed.
</P>
<A name="assertion_repudiation"></A><BR><HR>
<TABLE summary="layout" cellpadding="0" cellspacing="2" class="TOCbug" align="right"><TBODY><TR><TD class="TOCbug"><A href="file:///C:/DOCUME~1/nat/LOCALS~1/Temp/xml2rfc-xxe-2801899079746774201.html#toc"> TOC </A></TD></TR></TBODY></TABLE>
<A name="rfc.section.10.3"></A><H3>10.3.
Assertion repudiation</H3>
<P>To be completed.
</P>
<A name="assertion_redirect"></A><BR><HR>
<TABLE summary="layout" cellpadding="0" cellspacing="2" class="TOCbug" align="right"><TBODY><TR><TD class="TOCbug"><A href="file:///C:/DOCUME~1/nat/LOCALS~1/Temp/xml2rfc-xxe-2801899079746774201.html#toc"> TOC </A></TD></TR></TBODY></TABLE>
<A name="rfc.section.10.4"></A><H3>10.4.
Assertion redirect</H3>
<P>To be completed.
</P>
<A name="assertion_reuse"></A><BR><HR>
<TABLE summary="layout" cellpadding="0" cellspacing="2" class="TOCbug" align="right"><TBODY><TR><TD class="TOCbug"><A href="file:///C:/DOCUME~1/nat/LOCALS~1/Temp/xml2rfc-xxe-2801899079746774201.html#toc"> TOC </A></TD></TR></TBODY></TABLE>
<A name="rfc.section.10.5"></A><H3>10.5.
Assertion reuse</H3>
<P>To be completed.
</P>
<A name="artifact_manufacture"></A><BR><HR>
<TABLE summary="layout" cellpadding="0" cellspacing="2" class="TOCbug" align="right"><TBODY><TR><TD class="TOCbug"><A href="file:///C:/DOCUME~1/nat/LOCALS~1/Temp/xml2rfc-xxe-2801899079746774201.html#toc"> TOC </A></TD></TR></TBODY></TABLE>
<A name="rfc.section.10.6"></A><H3>10.6.
Secondary authenticator manufacture</H3>
<P>To be completed.
</P>
<A name="artifact_capture"></A><BR><HR>
<TABLE summary="layout" cellpadding="0" cellspacing="2" class="TOCbug" align="right"><TBODY><TR><TD class="TOCbug"><A href="file:///C:/DOCUME~1/nat/LOCALS~1/Temp/xml2rfc-xxe-2801899079746774201.html#toc"> TOC </A></TD></TR></TBODY></TABLE>
<A name="rfc.section.10.7"></A><H3>10.7.
Secondary authenticator capture</H3>
<P>To be completed.
</P>
<A name="assertion_substitution"></A><BR><HR>
<TABLE summary="layout" cellpadding="0" cellspacing="2" class="TOCbug" align="right"><TBODY><TR><TD class="TOCbug"><A href="file:///C:/DOCUME~1/nat/LOCALS~1/Temp/xml2rfc-xxe-2801899079746774201.html#toc"> TOC </A></TD></TR></TBODY></TABLE>
<A name="rfc.section.10.8"></A><H3>10.8.
Assertion substitution</H3>
<P>To be completed.
</P>
<A name="auth_req_disclosure"></A><BR><HR>
<TABLE summary="layout" cellpadding="0" cellspacing="2" class="TOCbug" align="right"><TBODY><TR><TD class="TOCbug"><A href="file:///C:/DOCUME~1/nat/LOCALS~1/Temp/xml2rfc-xxe-2801899079746774201.html#toc"> TOC </A></TD></TR></TBODY></TABLE>
<A name="rfc.section.10.9"></A><H3>10.9.
Authentication Request Disclosure</H3>
<P>To be completed.
</P>
<A name="authn_proc_threats"></A><BR><HR>
<TABLE summary="layout" cellpadding="0" cellspacing="2" class="TOCbug" align="right"><TBODY><TR><TD class="TOCbug"><A href="file:///C:/DOCUME~1/nat/LOCALS~1/Temp/xml2rfc-xxe-2801899079746774201.html#toc"> TOC </A></TD></TR></TBODY></TABLE>
<A name="rfc.section.10.10"></A><H3>10.10.
Authentication Process Threats</H3>
<P>The following threats exist in the category of Authentication Process Threats:
</P>
<P></P>
<UL class="text">
<LI>Online guessing
</LI>
<LI>Phishing
</LI>
<LI>Pharming
</LI>
<LI>Eavesdropping
</LI>
<LI>Replay
</LI>
<LI>Session hijack
</LI>
<LI>Man-in-the-middle
</LI>
</UL><P>The authentication process itself, as described in NIST SP800-63 rev.1, is out of scope for this protocol, but care should be taken to achieve appropriate protection against these threats.
</P>
<A name="comformance"></A><BR><HR>
<TABLE summary="layout" cellpadding="0" cellspacing="2" class="TOCbug" align="right"><TBODY><TR><TD class="TOCbug"><A href="file:///C:/DOCUME~1/nat/LOCALS~1/Temp/xml2rfc-xxe-2801899079746774201.html#toc"> TOC </A></TD></TR></TBODY></TABLE>
<A name="rfc.section.11"></A><H3>11.
Conformance</H3>
<P>To be completed.
</P>
<A name="acknowledgements"></A><BR><HR>
<TABLE summary="layout" cellpadding="0" cellspacing="2" class="TOCbug" align="right"><TBODY><TR><TD class="TOCbug"><A href="file:///C:/DOCUME~1/nat/LOCALS~1/Temp/xml2rfc-xxe-2801899079746774201.html#toc"> TOC </A></TD></TR></TBODY></TABLE>
<A name="rfc.section.12"></A><H3>12.
Acknowledgements</H3>
<P>As a binding of OpenID Authentication, this specification heavily relies on OpenID Authentication 2.0. Please refer to Appendix C of OpenID Authentication 2.0 for the full list of the contributors for OpenID Authentication 2.0.
</P>
<P>In addition, the OpenID Community would like to thank the following people for the work they've done in the drafting and editing of this specification.
</P>
<P></P>
<BLOCKQUOTE class="text">
<P>Breno de Medeiros (breno@gmail.com)
</P>
<P>Hideki Nara (hideki.nara@gmail.com)
</P>
<P>John Bradley (jbradely@mac.com)
</P>
<P>Nat Sakimura (sakimura@gmail.com) (author/editor)
</P>
</BLOCKQUOTE>
<A name="rfc.references1"></A><BR><HR>
<TABLE summary="layout" cellpadding="0" cellspacing="2" class="TOCbug" align="right"><TBODY><TR><TD class="TOCbug"><A href="file:///C:/DOCUME~1/nat/LOCALS~1/Temp/xml2rfc-xxe-2801899079746774201.html#toc"> TOC </A></TD></TR></TBODY></TABLE>
<H3>13. Normative References</H3>
<TABLE width="99%" border="0">
<TBODY><TR><TD class="author-text" valign="top"><A name="FIPS180-2">[FIPS180-2]</A></TD>
<TD class="author-text">U.S. Department of Commerce and National Institute of Standards and Technology, “<A href="http://csrc.nist.gov/publications/fips/fips180-2/fips180-2withchangenotice.pdf">Secure Hash Standard</A>,” FIPS 180-2.<P>
Defines Secure Hash Algorithm 256 (SHA256)
</P>
</TD></TR>
<TR><TD class="author-text" valign="top"><A name="HTML401">[HTML401]</A></TD>
<TD class="author-text">W3C, “<A href="http://www.w3.org/TR/html401">HTML 4.01 Specification</A>.”</TD></TR>
<TR><TD class="author-text" valign="top"><A name="OpenID.authentication-2.0">[OpenID.authentication-2.0]</A></TD>
<TD class="author-text">specs@openid.net, “OpenID Authentication 2.0,” 2007 (<A href="http://www.openid.net/specs/openid-authentication-2_0.txt">TXT</A>, <A href="http://www.openid.net/specs/openid-authentication-2_0.html">HTML</A>).</TD></TR>
<TR><TD class="author-text" valign="top"><A name="RFC1750">[RFC1750]</A></TD>
<TD class="author-text">Eastlake, D., Crocker, S., and J. Schiller, “<A href="http://tools.ietf.org/html/rfc1750">Randomness Recommendations for Security</A>,” RFC 1750.</TD></TR>
<TR><TD class="author-text" valign="top"><A name="RFC2045">[RFC2045]</A></TD>
<TD class="author-text">Freed, N. and N. Borenstein, “<A href="http://tools.ietf.org/html/rfc2045">Multipurpose Internet Mail Extensions (MIME) Part One: Format of Internet Message Bodies</A>,” RFC 2045.</TD></TR>
<TR><TD class="author-text" valign="top"><A name="RFC2104">[RFC2104]</A></TD>
<TD class="author-text">Krawczyk, H., Bellare, M., and R. Canetti, “<A href="http://tools.ietf.org/html/rfc2104">HMAC: Keyed-Hashing for Message Authentication</A>,” RFC 2104.</TD></TR>
<TR><TD class="author-text" valign="top"><A name="RFC2119">[RFC2119]</A></TD>
<TD class="author-text">Bradner, S., “<A href="http://tools.ietf.org/html/rfc2119">Key words for use in RFCs to Indicate Requirement Levels</A>,” RFC 2119.</TD></TR>
<TR><TD class="author-text" valign="top"><A name="RFC2616">[RFC2616]</A></TD>
<TD class="author-text">Fielding, R., Gettys, J., Mogul, J., Frystyk, H., Masinter, L., Leach, P., and T. Berners-Lee, “<A href="http://tools.ietf.org/html/rfc2616">Hypertext Transfer Protocol -- HTTP/1.1</A>,” RFC 2616.</TD></TR>
<TR><TD class="author-text" valign="top"><A name="RFC2631">[RFC2631]</A></TD>
<TD class="author-text">Rescorla, E., “<A href="http://tools.ietf.org/html/rfc2631">Diffie-Hellman Key Agreement Method</A>,” RFC 2631.</TD></TR>
<TR><TD class="author-text" valign="top"><A name="RFC3548">[RFC3548]</A></TD>
<TD class="author-text">Josefsson, S., “<A href="http://tools.ietf.org/html/rfc3548">The Base16, Base32, and Base64 Data Encodings</A>,” RFC 3548.</TD></TR>
<TR><TD class="author-text" valign="top"><A name="RFC3629">[RFC3629]</A></TD>
<TD class="author-text">Yergeau, F., “<A href="http://tools.ietf.org/html/rfc3629">UTF-8, a transformation format of Unicode and ISO 10646</A>,” RFC 3629.</TD></TR>
<TR><TD class="author-text" valign="top"><A name="RFC3986">[RFC3986]</A></TD>
<TD class="author-text">Berners-Lee, T., Fielding, R., and L. Masinter, “<A href="http://tools.ietf.org/html/rfc3986">Uniform Resource Identifiers (URI): Generic Syntax</A>,” RFC 3986.</TD></TR>
<TR><TD class="author-text" valign="top"><A name="RFC4627">[RFC4627]</A></TD>
<TD class="author-text">Crockford, D., “<A href="http://tools.ietf.org/html/rfc4627">The application/json Media Type for JavaScript Object Notation (JSON)</A>,” RFC 4627.</TD></TR>
<TR><TD class="author-text" valign="top"><A name="SP800-63">[SP800-63]</A></TD>
<TD class="author-text">“NIST SP800-63rev.1: Electronic Authentication Guideline,” December 2008.</TD></TR>
<TR><TD class="author-text" valign="top"><A name="magic_signatures">[magic_signatures]</A></TD>
<TD class="author-text">Panzer, J., “<A href="http://salmon-protocol.googlecode.com/svn/trunk/draft-panzer-magicsig-00.html">Magic Signatures</A>,” February 2010.</TD></TR>
</TBODY></TABLE>
<A name="rfc.authors"></A><BR><HR>
<TABLE summary="layout" cellpadding="0" cellspacing="2" class="TOCbug" align="right"><TBODY><TR><TD class="TOCbug"><A href="file:///C:/DOCUME~1/nat/LOCALS~1/Temp/xml2rfc-xxe-2801899079746774201.html#toc"> TOC </A></TD></TR></TBODY></TABLE>
<H3>Author's Address</H3>
<TABLE width="99%" border="0" cellpadding="0" cellspacing="0">
<TBODY><TR><TD class="author-text"> </TD>
<TD class="author-text">openid-specs-ab@openid.net</TD></TR>
</TBODY></TABLE>
</BODY></HTML>